On Extracting Common Random Bits From Correlated Sources on Large Alphabets

Transcription

1 University of Pennsylvania ScholarlyCommons Statistics Papers Wharton Faculty Research On Extracting Common Random Bits From Correlated Sources on Large Alphabets Siu On Chan Elchanan Mossel University of Pennsylvania Joe Neeman Follow this and additional works at: Part of the Computer Sciences Commons, and the Statistics and Probability Commons Recommended Citation On Chan, S., Mossel, E., & Neeman, J. (2014). On Extracting Common Random Bits From Correlated Sources on Large Alphabets. IEEE Transactions on Information Theory, 60 (3), This paper is posted at ScholarlyCommons. For more information, please contact

2 On Extracting Common Random Bits From Correlated Sources on Large Alphabets Abstract Suppose Alice and Bob receive strings X=(X 1,...,X n ) and Y=(Y 1,...,Y n ) each uniformly random in [s] n, but so that X and Y are correlated. For each symbol i, we have that Y i =X i with probability 1-ε and otherwise Y i is chosen independently and uniformly from [s]. Alice and Bob wish to use their respective strings to extract a uniformly chosen common sequence from [s] k, but without communicating. How well can they do? The trivial strategy of outputting the first k symbols yields an agreement probability of (1-ε+ε/s) k. In a recent work by Bogdanov and Mossel, it was shown that in the binary case where s=2 and k=k(ε) is large enough then it is possible to extract k bits with a better agreement probability rate. In particular, it is possible to achieve agreement probability (kε) -1/2 2 -kε/(2(1-ε/2)) using a random construction based on Hamming balls, and this is optimal up to lower order terms. In this paper, we consider the same problem over larger alphabet sizes s and we show that the agreement probability rate changes dramatically as the alphabet grows. In particular, we show no strategy can achieve agreement probability better than (1-ε) k (1+δ(s)) k where δ(s) 0 as s. We also show that Hamming ball-based constructions have much lower agreement probability rate than the trivial algorithm as s. Our proofs and results are intimately related to subtle properties of hypercontractive inequalities. Keywords hamming codes, probability, random processes, 1-ε probability, hamming ball-based constructions, agreement probability rate, common random bit extraction, correlated sources, hypercontractive inequalities, large alphabet size, lower order terms, random construction, trivial algorithm, correlation, information theory, joints, noise, noise measurement, protocols, upper bound, randomness extraction, hypercontractivity, symmetric channels Disciplines Computer Sciences Statistics and Probability This journal article is available at ScholarlyCommons:

3 On extracting common random bits from correlated sources on large alphabets Siu On Chan 2, Elchanan Mossel 1,2, and Joe Neeman 1 1 Department of Statistics, UC Berkeley 2 Department of Computer Science, UC Berkeley January 24, 2014 Abstract Suppose Alice and Bob receive strings X = (X 1,..., X n ) and Y = (Y 1,..., Y n ) each uniformly random in [s] n but so that X and Y are correlated. For each symbol i, we have that Y i = X i with probability 1 ɛ and otherwise Y i is chosen independently and uniformly from [s]. Alice and Bob wish to use their respective strings to extract a uniformly chosen common sequence from [s] k but without communicating. How well can they do? The trivial strategy of outputting the first k symbols yields an agreement probability of (1 ɛ + ɛ/s) k. In a recent work by Bogdanov and Mossel it was shown that in the binary case where s = 2 and k = k(ɛ) is large enough then it is possible to extract k bits with a better agreement probability rate. In particular, it is possible to achieve agreement probability (kɛ) 1/2 2 kɛ/(2(1 ɛ/2)) using a random construction based on Hamming balls, and this is optimal up to lower order terms. In the current paper we consider the same problem over larger alphabet sizes s and we show that the agreement probability rate changes dramatically as the alphabet grows. In particular we show no strategy can achieve agreement probability better than (1 ɛ) k (1 + δ(s)) k where δ(s) 0 as s. We also show that Hamming ball based constructions have much lower agreement probability rate than the trivial algorithm as s. Our proofs and results are intimately related to subtle properties of hypercontractive inequalities. Supported by NSF grant DMS and DOD ONR grant N Supported by NSF grant DMS and DOD ONR grant N Supported by NSF grant DMS and DOD ONR grant N

4 1 Introduction For an integer s 2, consider two [s] n -valued random variables X, Y (where [s] = {0, 1,..., s 1}) which are sampled by first choosing X uniformly and then, independently for every coordinate i, taking Y i to be a copy of X i with probability 1 ɛ and an independent sample from [s] otherwise. We will write P ɛ for this joint distribution on X and Y. Note that X and Y are both uniformly distributed in [s] n. The non-interactive correlation distillation (NICD) is defined as follows: suppose that one party (Alice) receives X and another (Bob) receives Y. Without any communication, each party chooses a string that is uniformly distributed in [s] k with the goal of maximizing the probability that the two strings chosen by Alice and Bob are identical. 1.1 Motivation and Related Work This problem was studied in [1] in the case s = 2, with motivation from various areas. One major motivation comes from the goal of extracting a unique identification string from process variations [3, 12], particularly in a noisy setup [9]. The case where the goal of the two parties is to extract a single bit was studied independently a number of times; in this case the optimal protocol is for the two parties to use the first bit. See [11] for references and for studying the problem of extracting one bit from two correlated sequences with different correlation structures. In [4, 5] a related question is studied: if m parties receive noisy versions of a common random string, where the noise of each party is independent, what is the strategy for the m parties that maximizes the probability that the parties agree on a single random bit of output without communicating? [4] shows that for large m using the majority functions on all bits is superior to using a single bit and [5] uses hypercontractive inequalities to show that for large m, majority is close to being optimal. Both results were recently extended to general string spaces in [6]. For any k N, one protocol which we will call the trivial protocol is for both parties to take the first k symbols of their strings. The success probability of this protocol is (1 (1 1 s )ɛ)k exp( kɛ(1 1 s )). When s = 2 and the protocol outputs a single bit (ie. k = 1), it is known (see e.g. [4]) that the optimal protocol is for both parties to choose the first bit. For larger k, this is no longer true. Bogdanov and Mossel [1] studied the case s = 2, and showed that any protocol which outputs a uniformly random length-k string 2

5 has a success probability of at most exp( kɛ(ln 2)/2). In other words, if p is the success probability of the trivial algorithm for choosing a k-bit string, then every protocol with success probability at least p emits at most k/ ln 2 bits. Bogdanov and Mossel showed that their bound was sharp by providing an example (for a restricted range of ɛ and k) with success probability which, for any δ > 0, is at least exp( kɛ(1 + δ)/2) for small ɛ and large k. In other words, if p is the success probability of the trivial algorithm for choosing a k-bit string, then they gave a protocol that succeeds with probability p and produces a string of length k/((1 + δ) ln 2). Their construction was built by taking random translations of Hamming balls; we will return to it in more detail later. 1.2 Our results We study an extension of the upper bound of [1] to a larger alphabet. In our main result we show that in the case of large alphabets, the constant-factor gap between the upper bound and the performance of the trivial algorithm vanishes; hence, the trivial algorithm is almost optimal for large alphabets. In particular we show no strategy can achieve agreement probability better than (1 ɛ) k (1 + δ(s)) k where δ(s) 0 as s. We then turn to analyze generalizations of the Hamming ball based construction of [1]. Interestingly we show that these have much lower agreement probability rate than the trivial algorithm as s. In this respect it is interesting to compare the case of a large number of parties that extract a single symbol to the case of two parties who extract a longer string. In the first case, the results of [6] generalize those of [4,5] to show that Hamming ball based protocols are almost optimal for all values of s when the number of parties m is large. In the case presented here, Hamming ball type constructions quickly deteriorate as s increases and the trivial protocol becomes almost optimal. The difference between the two phenomena may be explained by the fact that the problem studied in [4,5] is closely related to reverse-hypercontractive inequalities which hold uniformly in s [6], while the problem studied here is closely related to hypercontractive inequalities which deteriorate as s increases. Our results show that the trivial algorithm is optimal up to a factor of (1 + δ(s)) k where δ(s) 0 as s. An interesting open problem is to find an almost optimal algorithm for large s, i.e., an algorithm whose agreement probability is provably optimal up to a factor of 2 o(k). It is quite possible 3

6 that the trivial protocol is optimal for some large fixed values of s and all large enough k. 2 Definitions and results A protocol for NICD is defined by two functions f, g [s] n [s]. Upon receiving their strings X, Y [s] n, the two parties compute f(x) and g(y ) respectively. The protocol is successful if both parties agree on the same output; that is, if f(x) = g(y ). Therefore, finding an optimal NICD algorithm is equivalent to finding functions f, g [s] n [s] which maximize P ɛ (f(x) = g(y )). In the introduction, we mentioned the requirement that f and g are uniformly distributed on [s] k. In fact, we will require less for our negative results and guarantee more in our positive results. In particular, for our negative results, we will only assume that f and g have min-entropy at most k, meaning that P(f(X) = z) s k for all z [s] and similarly for g. Of course, if f [s] n [s] k is uniformly distributed then it has min-entropy k. 2.1 Reduction to a question about sets Using an observation of [1], we can reduce the NICD problem to the problem of finding a sets A [s] n which maximize P ɛ (Y A X A). On the one hand, if we are given good functions f and g then we can find a set A such that P(Y A X A) is large: Theorem 2.1. For any functions f, g [s] n [s] having min-entropy k there is a set A [s] n with A s n k such that for every 0 ɛ 1, P ɛ (Y A X A) P ɛ (f(x) = g(y )). On the other hand, if we have a good set A then we can construct a function f by taking certain translates of A. Theorem 2.2. If A [s] n with 1 8 sn k A 1 4 sn k then there is a function f [s] n [s] k such that 1. f(x) is uniformly distributed on [s] k 2. f(x) is uniformly distributed on [s] k conditioned on f(x) = f(y ) 3. for every 0 ɛ 1, P ɛ (f(x) = f(y )) 1 16 P ɛ(y A X A). 4

7 Note that the f that we produce in Theorem 2.2 satisfies stronger requirement than the one that we require in Theorem 2.1. Indeed, the f from Theorem 2.2 is uniformly distributed instead of only having a small minimum entropy. Moreover, f(x) is uniformly distributed given f(x) = f(y ), which means that a successful execution of the protocol will result in the two parties having uniformly random strings. 2.2 Negative results on the performance of NICD In view of Theorems 2.1 and 2.2, the NICD problem reduces to the study of P ɛ (Y A X A) over sets A [s] n with a given cardinality. Actually, it turns out to be more convenient to normalize the cardinality instead of restricting it: Definition 2.3. For A [s] n, define M ɛ (A) = ln P ɛ(y A X A). ln P(A) To illustrate the definition, consider the set A = {x x 1 = = x k = 0}, which corresponds to the trivial algorithm that selects the first k symbols. In this case, P ɛ (Y A X A) = (1 (1 s 1 )ɛ)) k. Since P(A) = s k, it follows that M ɛ (A) = 1 ln s ln ( 1 1 (1 s 1 )ɛ ). (1) Our main result is that the above example is optimal as s. Theorem 2.4. For every δ, ɛ > 0 there exists S < such that for all n N and all s S, any set A [s] n satisfies M ɛ (A) 1 ln s ( ln 1 1 ɛ δ) Note that since ln P(A) is negative, Theorem 2.4 provides an upper bound on P ɛ (Y A X A) for all sets A of a fixed probability, and therefore an upper bound on the agreement probability of any NICD protocol. We remark that our proof extends to the case where the X i are chosen independently from some distributions whose smallest atoms are at most α. In this case, the theorem holds with s replaced by 1/α. As a corollary of Theorems 2.1 and 2.4, we obtain a bound on the performance of any NICD protocol. 5

8 Corollary 2.5. For any δ, ɛ > 0, there exists S < such that for all n, k N, for any s S, and for any NICD protocol f, g on [s] with min entropy at most k, the probability that the protocol succeeds with noise ɛ is at most (1 ɛ) k e δk. Since the success rate of the trivial protocol with min-entropy k is bigger than (1 ɛ) k, this shows that for large s, no protocol can be succeed with much higher probability than the trivial protocol. Proof. Fix a protocol f, g and let A be a set such that A s n k and P ɛ (Y A X A) P ɛ (f(x) = g(y )) (such an A exists by Theorem 2.1). Then Theorem 2.4 implies (recalling that ln P(A) is negative) ln P ɛ (Y A X A) ln P(A) ( log 1 1 δ) k( log ln s 1 ɛ 1 ɛ δ) Taking the exponential of both sides yields the corollary. Of course, we can also restate Corollary 2.5 for a fixed probability of success and a varying k: Corollary 2.6. For any δ, ɛ > 0, there exists S < such that for all n N, for all 0 < p < 1, for any s S, and for any NICD protocol f, g that succeeds with probability at least p, if k is the min-entropy of the protocol then the trivial protocol on k log(1 ɛ) log(1 ɛ)+δ symbols also succeeds with probability at least p. In other words, for a fixed probability of failure, a trivial protocol can recover almost as many symbols as any other protocol (when s is large). The dependence of S on δ and ɛ is not made explicit in our proof. However, our proof does provide a way to approximate S(δ, ɛ) on a computer; therefore, we produced a plot (Figure 1) showing the approximate value of S for various values of δ and ɛ. 2.3 An example: the Hamming ball As we have already mentioned, [1] showed that when s = 2, the trivial algorithm is optimal up to a constant factor; As we have just seen, this constant factor converges to 1 as s. However, [1] also gave a positive result: they gave an example that achieves optimal performance (at least, up to lower order terms and for a particular range of k and ɛ). Since their example can be generalized to s > 2, we can examine its performance as s, and compare it to the trivial algorithm. 6

9 δ ɛ =0.5 ɛ =0.1 ɛ = S Figure 1: The relationship, in log-log scale, between S and δ in Theorem 2.4 for various values of ɛ: 0.5 (solid), 0.1 (dashed), and 10 3 (dotted). For each of these values of ɛ, every point (s, δ) that is above the corresponding line, and every n N, all sets A [s] n satisfy M ɛ (A) 1 ln s (ln 1 1 ɛ δ). Define the set A s,α,n = {x [s] n #{i x i 0} n s 1 s α n}. In other words, A s,α,n is a Hamming ball around zero of radius n s 1 s α n. When s = 2, [1] showed that M ɛ (A 2,α,n ) ɛ/2 as n, t and ɛ 0 (note that this does not contradict Theorem 2.4, which only holds for sufficiently large s). Since the trivial algorithm has M ɛ (A) ɛ/(2 ln 2) for small ɛ, this shows that the Hamming ball NICD protocol is better than the trivial one for s = 2. The situation reverses, however, as s grows: Proposition 2.7. There exists a constant c such that for any s, α and ɛ, lim M ɛ(a s,α,n ) cɛ. n Since the trivial algorithm has M ɛ (A) ɛ/ ln s, it is better than the Hamming ball protocol when s is large. In terms of the agreement probability, an argument like the proof of Corollary 2.5 shows that the agreement probability of the Hamming ball protocol is at most (1 ɛ) ck ln s. In terms of the number of recovered symbols, the Hamming ball protocol with the same agreement probability as the k-symbol trivial protocol can only recover ck/ ln s symbols. 7

10 3 Reduction to a single set In this section, we will prove Theorems 2.1 and 2.2, which reduce the NICD problem to a question about optimal subsets of [s] n. The proof of Theorem 2.1 is straightforward, and essentially follows directly from the Cauchy- Schwarz inequality. Proof of Theorem 2.1. Suppose that f, g [s] n [s] k have min-entropy k. For z [s] k, let f z [s] n {0, 1} be the function Define g z (x) similarly. Then P ɛ (f(x) = g(y )) = 1, if f(x) = z, f z (x) = 0, otherwise. P ɛ (f(x) = g(y ) = z) z [s] k = Ef z (X)g z (Y ) z [s] k Efz (X)f z (Y ) Eg z (X)g z (Y ) z [s] k Ef z (X)f z (Y ) Eg z (X)g z (Y ), z [s] k z [s] k where both inequalities are Cauchy-Schwarz. For each z [s] k, let A z be the set f 1 (z). Since f has min-entropy k, A z s n k for all z. Let A be the A z which maximizes P ɛ [Y A z X A z ]. Then Ef z (X)f z (Y ) = P ɛ (f(x) = f(y ) = z) z [s] k z [s] k = z [s] k P ɛ (f(x) = z)p ɛ (Y A z X A z ) P ɛ (Y A X A). The idea behind Theorem 2.2 is, given a set A [s] n with 1 8 sn k A 1 4 sn k, to construct a partition of [s] n out of randomly translated copies of A. Let C [s] n, C = s k be the set of centers. We will choose C randomly; we will say how to choose it later. Let f C [s] n C to be some 8

11 function with the property that if x A+c for a unique c C then f C (x) = c. Clearly, then, P ɛ (f C (X) = f C (Y )) P ɛ (!c C such that X, Y A + c). (2) The goal is to find a C which makes the right-hand side large; this will allow us to prove property 3 in the second part of Theorem 2.1. Note, by the way, that it is sufficient to prove Theorem 2.2 with [s] k replaced by an arbitrary set C satisfying C = s k. Since such a C is in bijection with [s] k, the theorem as stated will follow. Lemma 3.1. Suppose that C is chosen (randomly) such that for any a, b [s] n, P(a, b C) = s 2(t n). Then E C P ɛ (f C (X) = f C (Y )) 1 P(ɛ(Y A X A). 16 In particular, there exists a fixed C such that f C Theorem 2.2. satisfies property 3 of Proof. We begin from the right-hand side of (2): P ɛ (!c C such that X, Y A + c) (3) E C P ɛ (X, Y A c ) (1 P ɛ (X or Y A c X, Y A c )) c C c c = s k E c P ɛ (X, Y A c ) (1 (s k 1)E c P ɛ (X or Y A c X, Y A c )). (4) By our assumption on the distribution of C, c c is uniformly random given c. Thus E c P ɛ (X or Y A c X, Y A c ) 2E c P ɛ (X A c X, Y A c ) where the last line follows because A s n k /4. Plugging this into (4), 2P ɛ (X A) s k /2, E C P ɛ (f(x) = f(y )) sk 2 P ɛ(x, Y A) = P ɛ(y A X A). 16 To check properties 2 and 3, we need to be a little more specific about our choice of f C. So far, we have only assumed that f C (x) = c if c is the only member of C with x A + c. Now, take to be some total order 9

12 on [s] n with the property that x y whenever x A, y / A. Then define f C (x) = arg min c C (x c) (where the arg min is taken with respect to the ordering ). This defines f C on all of [s] n, and it has the property that we required before: if f C (x) A + c for a unique c, then f C (x) c A and f C (x) c / A for every c c. By our requirement on, f C (x) c f C (x) c for every c c and so f C (x) = c. Lemma 3.2. If there is a subgroup G ([s] n, +) and some a [s] n such that C = G + a, then f C satisfies properties 1 and 2 of Theorem 2.2. Proof. For any g G, f C (x + g) = arg min c C (x (c g)) = g + arg min c C g (x c) = f C (x) + g, since C g = C. Moreover, note that the distribution of (X, Y ) is invariant under translation, in the sense that for any fixed g [s] n, (X, Y )+g d = (X, Y ). Hence, P(f(X) = c) = P(f(X + g) = c) = P(f(X) = c + g) for any c C, g G. Since G acts transitively on C, this implies that P(f(X) = c) = 1/ C = s k ; in other words, f(x) is distributed uniformly on C. Similarly, P(f(X) = f(y ) = c) = P(f(X) = f(y ) = c + g) for any c C, g G and so P(f(X) = f(y ) = c) = s k P(f(X) = f(y )); in other words, f(x) is uniformly distributed on C conditioned on f(x) = f(y ). Proof of Theorem 2.2. To prove Theorem 2.2, we need to find a set C which satisfies the hypotheses of Lemmas 3.1 and 3.2. In [1], they chose C to be a uniformly random k-dimensional affine subspace of [2] n, but since [s] n is not a vector space for every s, we will need something slightly more complicated. Let s = m i=1 pj i i be the prime factorization of s. By the Chinese remainder theorem, the group ([s] n, +) is isomorphic to m i=1 ([p i] nj i, +); let φ i ([p i ] nj i, +) [s] n be an isomorphism. Independently for each i = 1,..., m and j = 1,..., k i, let G i,j be a uniformly random k-dimensional subspace of [p i ] n (which is a vector space), and let a i,j be a uniformly random element of [p i ] n. Finally, define C = φ( i,j (a i,j + G i,j )) = φ( 10 i,j a i,j ) + φ( G i,j ). i,j

13 Since φ( i,j G i,j ) is a subgroup of [s] n, the condition of Lemma 3.2 is satisfied with probability 1. To check the condition of Lemma 3.1, note that for any b = i,j b i,j and c = i,j c i,j in m i=1 [p i] nk i, P(b i,j, c i,j a i,j + G i,j ) = p 2(n k) i because G i,j is a uniformly random k-dimensional subspace of [p i ] n. Since the a i,j and G i,j are independent, it follows that P(φ(b), φ(c) C) = P (a i,j, b i,j C i,j ) = s 2(n k). i,j That is, the distribution of C satisfies the condition of Lemma 3.1. In particular, there exists a non-random C that belongs to the support of C, and which also satisfies condition 3 of Theorem 2.2. By the previous paragraph, the fact that it belongs to the support of C implies that it also satisfies conditions 1 and 2. 4 An upper bound on agreement The proof of Theorem 2.4 uses a hypercontractive inequality in much the same way as it was used in [1]. The difference here is that [1] used only the hypercontractive inequality over the two-point space with the uniform measure, while we need one that applies to spaces with more than two points. Before stating this hypercontractive inequality, we need to define the appropriate Bonami-Beckner-type operator: for a function g [s] R, and some 0 < τ < 1, define S τ g = τg + (1 τ)eg. Thus, for any 0 < τ < 1, and any 1 p, q, S is an operator L p ([s]) L q ([s]). We define T τ L p ([s] n ) L q ([s]) n by T τ = Sτ n. The operator T τ can also be written in terms of the Fourier expansion of f; see [10] for details. For us, the crucial property of T τ is that E ɛ f(x)f(y ) = E(T τ f) 2 (5) when τ = 1 ɛ. This fact was used in [1] for s = 2 to establish Theorem 2.4 in that case. The following hypercontractive inequality is due to Oleszkiewicz [8]: Theorem 4.1. Fix s N and set α = 1 s, β = 1 α. Define σ(α, p) = ( β2 2/p α 2 2/p 1/2 α 1 2/p β β 1 2/p α ). 11

14 Then for any f [s] n R, if τ σ(α, p) then T τ f 2 f p. We remark that the reason for not having an explicit S(δ) in Theorem 2.4 and its corollaries is that we do not know how to solve for p in terms of σ(α, p). However, an approximate solution can easily be found on a computer, and we used such an approximation to produce Figure 1. To obtain Theorem 2.4, it suffices to study the limit of σ(α, p) as α 0. Essentially, σ 2 (α, p) α 1 2/p for small α, and so if we take p to be slightly larger than what is needed to solve α 1 2/p = 1 ɛ, then we will have σ(α, p) 1 ɛ. This will allow us to apply Theorem 4.1 with τ = 1 ɛ. Lemma 4.2. Let p = p(α, δ, ɛ) solve α (2/p 1) δ/ ln α = 1 ɛ. Then for any δ > 0 and ɛ (0, 1), there is an A(δ, ɛ ) > 0 such that α < A(δ, ɛ ) implies that for all ɛ (0, ɛ ), σ 2 (α, p(α, δ, ɛ)) 1 ɛ. Proof. Note that the definition of p ensures that p < 2 for all α, δ, ɛ. By the definition of σ, σ 2 (α, p)α 1 2/p = β2 2/p α 2 2/p β α 2/p β 1 2/p β2 2/p α 2 2/p. (6) Fix ɛ and δ, and note that as α 0, 2 2/p 1 uniformly for all ɛ (0, ɛ ). Hence, the right-hand side of (6) converges to 1 (uniformly in ɛ) as α 0. Plugging in the definition of p, σ 2 (α, p) 1 ɛ = σ 2 (α, p)α 1 2/p α δ/ ln α (1 o(1))e δ. In particular, the limit of the right hand side is strictly smaller than one, and so σ 2 (α, p) 1 ɛ for sufficiently small α. Proof of Theorem 2.4. Fix ɛ, δ > 0. Let A and p be as in Lemma 4.2 and define S = 1/A. If s S then α = 1/s A and so Lemma 4.2 implies that σ 2 (α, p) 1 ɛ. Thus, (5) and Theorem 4.1 imply that P ɛ (X, Y A) = T 1 ɛ 1 A A 2 p = P(A) 2 p. 12

15 Hence, P ɛ (Y A X A) P(A) 2/p 1. Taking the logarithm and dividing by ln P(A) (which is negative), we have 5 Hamming ball M ɛ (A) = ln P ɛ(x, Y A) ln P(A) 2 p 1 = ln 1 1 ɛ ln s δ ln s. In this section, we consider the example of the Hamming ball A s,α,n consisting of x [s] n such that #{i x i = 0} n s α n. This is an interesting example because [1] showed that if α is sufficiently large (depending on ɛ), then as n, A 2,α,n achieves the upper bound of Theorem 2.4. We will show, however, that this is no longer true for large s. Note that 1 X1 =0 has mean 1 s 1 s and variance. Thus, the Berry-Esséen s 2 theorem implies that for any fixed α and s, P(A s,α,n ) P(Z αs ) (7) s 1 as n, where Z N (0, 1). Moreover, if (Z 1, Z 2 ) N (0, ( 1 1 ɛ 1 ɛ 1 )) then P ɛ (X, Y A s,α,n ) P(Z 1, Z 2 αs ). (8) s 1 In particular, by studying normal probabilities we can use (7) and (8) to compute lim n M ɛ (A s,α,n ). Lemma 5.1. Suppose that (Z 1, Z 2 ) N (0, ( 1 ɛ 1 1 ɛ 1 )). There is a sufficiently small constant c such that for all t > 0 and 0 < ɛ < 1, P(Z 1 t Z 2 t) P(Z 1 t) cɛ. Lemma 5.1 has the following immediate consequence for M ɛ (A s,α,n ): Corollary 5.2. There exists a constant c such that for any s and α, lim M ɛ(a s,α,n ) cɛ. n By comparison, the trivial protocol A = {x x 1 = = x k = 0} has M ɛ (A) = 1 ln s ln ( 1 1 (1 s 1 )ɛ ) C ɛ ln s. In particular, for a fixed success probability and a sufficiently large alphabet s, the trivial protocol recovers c ln s times as many symbols as the Hamming ball protocol. 13

16 Proof of Corollary 5.2. According to (7) and (8), M ɛ (A s,α,n ) log P(Z 1 αs s 1 Z 2 αs log P(Z 1 αs s 1 ) s 1 ) Now apply Lemma 5.1 to the numerator (recalling that the denominator is negative): log P(Z 1 αs ) cɛ s 1 lim M ɛ (A s,α,n ) = cɛ. log P(Z 1 αs ) s 1 Proof of Lemma 5.1. The proof makes use of the Ornstein-Uhlenbeck semigroup P t, defined by where Z N (0, 1). states that (P τ f)(x) = Ef(e τ x + 1 e 2τ Z), The Nelson-Gross [2, 7] hypercontractive inequality (EP τ f(z) q ) 1/q (E f(z) p ) 1/p (9) whenever q 1 + e 2τ (p 1). If we set f(x) = 1 x t and τ = log(1 ɛ), then P(Z 1, Z 2 t) = Ef(Z 1 )f(z 2 ) = Ef(Z)P τ f(z) = E(P τ/2 f(z)) 2. Thus, (9) with q = 2 and p = 1 + e 2τ = 1 + (1 ɛ) 2 implies that 2 P(Z 1, Z 2 t) (Ef(Z)) 1+(1 ɛ) 2 = P(Z 2 t) 1+(1 ɛ) 2 P(Z 2 t) 1+cɛ. 2. Hence, P(Z 1 t Z 2 t) P(Z 1 t, Z 2 t) P(Z 2 t) P(Z 2 t) cɛ. References [1] A. Bogdanov and E. Mossel. On extracting common random bits from correlated sources. IEEE Transactions on information theory, 57(10): , Arxiv [2] Leonard Gross. Logarithmic Sobolev inequalities. Amer. J. Math., 97(4): ,

17 [3] D. Lim, J.W. Lee, B. Gassend, G.E. Suh, M. Van Dijk, and S. Devadas. Extracting secret keys from integrated circuits. IEEE Transactions on Very Large Scale Integration (VLSI) Systems, 13(10): , [4] E. Mossel, R. O Donnell, and K. Oleszkiewicz. Noise stability of functions with low influences: invariance and optimality (extended abstract). In 46th Annual IEEE Symposium on Foundations of Computer Science (FOCS 2005), October 2005, Pittsburgh, PA, USA, Proceedings, pages IEEE Computer Society, [5] E. Mossel, R. O Donnell, O. Regev, J. E. Steif, and B. Sudakov. Noninteractive correlation distillation, inhomogeneous Markov chains, and the reverse Bonami-Beckner inequality. Israel J. Math., 154: , [6] E. Mossel, K. Oleszkiewicz, and A. Sen. On reverse hypercontractivity [7] Edward Nelson. The free Markoff field. J. Functional Analysis, 12: , [8] K. Oleszkiewicz. On a nonsymmetric version of the Khinchine-Kahane inequality. Progress In Probability, 56: , [9] Y. Su, J. Holleman, and B.P. Otis. A digital 1.6 pj/bit chip identification circuit using process variations. Solid-State Circuits, IEEE Journal of, 43(1):69 77, [10] P. Wolff. Hypercontractivity of simple random variables. Studia Mathematica, pages , [11] Ke Yang. On the (im)possibility of non-interactive correlation distillation. Theoretical Computer Science, 382(2): , [12] H. Yu, P.H.W. Leong, H. Hinkelmann, L. Moller, M. Glesner, and P. Zipf. Towards a unique FPGA-based identification circuit using process variations. In 19th International Conference on Field Programmable Logic and Applications, pages IEEE,